Description
NAVTOR NavBox through version 4.16.1.20 contains hard-coded credentials within its Windows Communication Foundation (SOAP) implementation. If the SOAP functionality is enabled, a local attacker can extract credentials to bypass the intended transfer workflow. Successful authentication against the SOAP interface grants access to privileged WCF methods, enabling an attacker to write or overwrite files within application-defined paths.
Published: 2026-06-04
Score: 5.8 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

NAVTOR NavBox versions up to 4.16.1.20 contain hard‑coded credentials embedded in the Windows Communication Foundation (WCF) SOAP interface. A local attacker who can access the machine can extract these credentials and authenticate against the SOAP endpoint. Once authenticated, the attacker gains access to privileged WCF methods that enable writing or overwriting files in application‑defined directories, effectively allowing them to modify critical application data or configurations. This vulnerability is a classic example of CWE‑798, where hard‑coded passwords undermine authentication security and can be leveraged for local privilege escalation.

Affected Systems

The affected product is NAVTOR NavBox. All releases up to and including 4.16.1.20 are impacted. NAVTOR has provided a patch in version 4.17.2.6 and later, and systems that maintain an active NavBox connection will automatically receive the update; no manual action is required for those instances.

Risk and Exploitability

The CVSS score for this flaw is 5.8, indicating moderate severity. EPSS information is not available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Exploitation requires local access to the host or the ability to communicate with the SOAP interface, which is typically restricted to local network or privileged users. Attackers with such access could elevate their privileges to write arbitrary files within the application’s boundaries. The patch mitigates the issue, thus the risk is reduced for systems that have applied the update.

Generated by OpenCVE AI on June 4, 2026 at 21:20 UTC.

Remediation

Vendor Solution

NAVTOR has released a patch for NavBox in April 2026. Version 4.17.2.6 and later includes the fix. Users that have an active NavBox connection will automatically be kept up to date with the latest version. No user action required.

OpenCVE Recommended Actions

  • Install the NavBox patch (version 4.17.2.6 or later).
  • Ensure that any system maintaining a NavBox connection is actively updating, as updates are applied automatically.
  • If the SOAP functionality is not required for your deployment, disable it to eliminate the attack surface for local credential extraction.

Generated by OpenCVE AI on June 4, 2026 at 21:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 04 Jun 2026 23:45:00 +0000

Type Values Removed Values Added
First Time appeared Navtor
Navtor navbox
Vendors & Products Navtor
Navtor navbox

Thu, 04 Jun 2026 20:15:00 +0000

Type Values Removed Values Added
Description NAVTOR NavBox through version 4.16.1.20 contains hard-coded credentials within its Windows Communication Foundation (SOAP) implementation. If the SOAP functionality is enabled, a local attacker can extract credentials to bypass the intended transfer workflow. Successful authentication against the SOAP interface grants access to privileged WCF methods, enabling an attacker to write or overwrite files within application-defined paths.
Title NAVTOR NavBox Use of Hard-coded Credentials
Weaknesses CWE-798
References
Metrics cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H'}

cvssV4_0

{'score': 5.8, 'vector': 'CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Navtor Navbox
cve-icon MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-06-04T19:44:53.466Z

Reserved: 2026-01-27T23:33:47.825Z

Link: CVE-2026-21404

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-04T20:16:57.083

Modified: 2026-06-04T20:16:57.083

Link: CVE-2026-21404

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-04T23:30:25Z

Weaknesses